Hi John,
On 11/14/23 20:07, John Levine wrote:
>> The chairs announced today that the below WGLC meant to say that some reactions
>> in support of this draft are needed for the document to move
>> forward. (In contrast to only asking for objections.)
> I think the document is ready EXCEPT that we really need to reconcile
> it and the notify draft. If there's going to be notifications, we
> should say so now rather than hoping people notice there's some
> slightly later RFC that updates this one.
I like this suggestion; indeed, the text doesn't currently mention
notifications. Suggest to add the following as the first or second bullet in
Section 4.3:
NEW
* The Parental Agent receives a notification from the Child DNS
Operator indicating that the Child wishes to have its CDS/CDNSKEY
RRset processed;
... followed by a short discussion of scanning vs. notifications right after
the bullet list:
NEW
Timer-based trigger mechanisms (such as scans) exhibit undesirable
properties with respect to processing delay and scaling; on-demand
triggers (like notifications) are preferable. Whenever possible,
Child DNS Operators and Parental Agents are thus encouraged to use
them, reducing both delays and the amount of scanning traffic.
> In the absence of notifications, scanning would be rather expensive
> since the registry would need to probe all the signalling domains for
> every unsigned registrant. In some cases they might have a shortcut
> like being able to AXFR signalling zones but in general you can't
> count on it.
The current draft is unrelated to whether a parent performs CDS/CDNSKEY
scanning on unsigned children. https://github.com/oskar456/cds-updates
documents 9 registries and 2 registrars who already do so today.
In fact, all of these support the insecure bootstrapping method, which requires
them to repeat these queries multiple times over a few days, typically from
multiple vantage points, in order to gain some (non-cryptographic) confidence
in the integrity of the child's CDS/CDNSKEY records.
The authenticated bootstrapping protocol at hand would render these additional
queries (which are being performed today!) unnecessary, as the CDS/CDNSKEY
records' integrity can be verified immediately upon first discovery.
The current draft is thus expected to *reduce* the number of queries necessary
for scanning parents.
Best,
Peter
--
https://desec.io/
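An added illustration of the query-count argument above (example code written for this page; it is not from the draft, from deSEC, or from anyone in the thread). It models a Parental Agent's acceptance logic for an unsigned child in two ways: the insecure repeat-and-compare method, which re-queries the child apex over several rounds from several vantage points, and authenticated bootstrapping, which queries each nameserver's signalling zone once and accepts on first discovery. Assumptions: the signalling-name layout `_dsboot.<child>._signal.<nameserver>` is taken from RFC 9615; all DNS data is a constructed in-memory table with placeholder digests; rounds stand in for days; and the requirement that signalling-zone answers also agree with the child's apex RRset is a modelling choice, not a statement about the draft's exact steps.

```python
"""Model of a Parental Agent accepting CDS records from an unsigned child,
comparing the insecure repeat-and-compare method with authenticated
bootstrapping via signalling zones. All DNS data is constructed in-line;
nothing is queried over the network."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    rrset: frozenset   # CDS records as presentation-format strings
    validated: bool    # True if the answer was DNSSEC-validated (AD bit set)


def signalling_name(child: str, nameserver: str) -> str:
    """Signalling name used by authenticated bootstrapping (RFC 9615):
    _dsboot.<child>._signal.<nameserver>"""
    return f"_dsboot.{child.rstrip('.')}._signal.{nameserver.rstrip('.')}."


class Resolver:
    """Lookup against a static table; counts queries for the comparison."""

    def __init__(self, data):
        self.data = data
        self.queries = 0

    def query(self, name, rtype, vantage_point="vp-a"):
        self.queries += 1   # vantage point only matters for counting in this model
        return self.data.get((name, rtype))


# Constructed data: two unsigned children on the same pair of nameservers.
CDS_GOOD = frozenset({"12345 13 2 PLACEHOLDER-DIGEST-A"})   # constructed record
CDS_OTHER = frozenset({"54321 13 2 PLACEHOLDER-DIGEST-B"})  # constructed record
NS = {
    "example.co.uk.": ["ns1.example.net.", "ns2.example.org."],
    "mismatch.co.uk.": ["ns1.example.net.", "ns2.example.org."],
}
FAKE_DNS = {
    # child apexes are unsigned, so their CDS answers cannot be validated
    ("example.co.uk.", "CDS"): Answer(CDS_GOOD, False),
    ("mismatch.co.uk.", "CDS"): Answer(CDS_GOOD, False),
    # signalling zones are signed; for mismatch.co.uk. the two nameservers disagree
    (signalling_name("example.co.uk.", "ns1.example.net."), "CDS"): Answer(CDS_GOOD, True),
    (signalling_name("example.co.uk.", "ns2.example.org."), "CDS"): Answer(CDS_GOOD, True),
    (signalling_name("mismatch.co.uk.", "ns1.example.net."), "CDS"): Answer(CDS_GOOD, True),
    (signalling_name("mismatch.co.uk.", "ns2.example.org."), "CDS"): Answer(CDS_OTHER, True),
}


def insecure_bootstrap(resolver, child, rounds=3, vantage_points=("vp-a", "vp-b", "vp-c")):
    """Accept the apex CDS RRset only if every round, from every vantage point,
    returns the same non-empty RRset. Returns (accepted, rrset)."""
    seen = set()
    for _ in range(rounds):
        for vp in vantage_points:
            ans = resolver.query(child, "CDS", vp)
            if ans is None or not ans.rrset:
                return False, None
            seen.add(ans.rrset)
    if len(seen) != 1:
        return False, None
    return True, next(iter(seen))


def authenticated_bootstrap(resolver, child, nameservers):
    """Accept on first discovery: each nameserver's signalling zone must return a
    DNSSEC-validated CDS RRset, all must be identical, and (model assumption)
    they must match the child's apex RRset. Returns (accepted, rrset)."""
    apex = resolver.query(child, "CDS")
    if apex is None or not apex.rrset:
        return False, None
    for ns in nameservers:
        ans = resolver.query(signalling_name(child, ns), "CDS")
        if ans is None or not ans.validated or ans.rrset != apex.rrset:
            return False, None
    return True, apex.rrset


def run_insecure(child):
    """(accepted, rrset, queries spent) for the repeat-and-compare method."""
    r = Resolver(FAKE_DNS)
    accepted, rrset = insecure_bootstrap(r, child)
    return accepted, rrset, r.queries


def run_authenticated(child):
    """(accepted, rrset, queries spent) for authenticated bootstrapping."""
    r = Resolver(FAKE_DNS)
    accepted, rrset = authenticated_bootstrap(r, child, NS[child])
    return accepted, rrset, r.queries


if __name__ == "__main__":
    for child in NS:
        print(child, "insecure:", run_insecure(child), "authenticated:", run_authenticated(child))
```

With three rounds and three vantage points the insecure method spends nine queries per child and still accepts `mismatch.co.uk.`, because it only checks that the apex answer is stable; the authenticated method spends three queries per child, accepts `example.co.uk.` at once, and rejects `mismatch.co.uk.` because the two signalling zones disagree.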
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop